AMENDMENTS TO THE CLAIMS

Please cancel Claims 10-12 and 16, without prejudice.
Please amend Claims 1-9 and 13-15 as follows.

1. (Currently amended) A safety verification device of an electronic reactive system
such as a cipher communication system or control system for a nuclear reactor or aircraft,
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of terms,
and a selected set of terms to be verified, said set of axioms being a set consisting only a
commutative law and an associative law, and said safety verification device of a reactive system
comprising a processing unit, a recording unit, a translation unit, a simulation unit and a set
operation unit, wherein:

said set of function symbols, said set of rewriting rules, said set of axioms, said set of 
terms, and said selected set of terms to be verified are recorded in said recording unit; 

said translation unit is controlled by said processing unit to read out said set of axioms
and said set of terms from said recording unit and to generate, under said set of
axioms, a first equational tree automaton which accepts said set of terms;

said simulation unit is controlled by said processing unit to read out said set of rewriting
rules, said set of axioms and said set of terms from said recording unit and to generate,
under said set of rewriting rules and said set of axioms and using said first equational
tree automaton as initial data, a second equational tree automaton which accepts said set of terms
and a set that comprises terms derived from said set of terms; and

said set operation unit is controlled by said processing unit to generate,
using said second equational tree automaton and said selected set of terms to be verified, a fourth
equational tree automaton by associating said second equational tree automaton with a third
equational tree automaton which accepts said selected set of terms to be verified and to determine
whether or not a set accepted by the fourth equational tree automaton is an empty set;

said second equational tree automaton is generated through first and second repetition 
processes; 

wherein said first repetition process comprises:

(A) setting said first equational tree automaton to initial data;

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B)
selecting and (C) determining processes regarding all elements p positioned at the ends of said
tree-structure of said first group; and

wherein said second repeated process comprises: 

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

2. (Currently amended) A safety verification device of an electronic reactive system
such as a cipher communication system or control system for a nuclear reactor or aircraft,
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of terms,
and a selected term to be verified, said set of axioms being a set consisting only a commutative
law and an associative law, and said safety verification device of a reactive system comprising a
processing unit, a recording unit, a translation unit, a simulation unit and a set operation unit,
wherein:

said set of function symbols, said set of rewriting rules, said set of axioms, said set of 
terms, and said selected term to be verified are recorded in said recording unit; 

said translation unit is controlled by said processing unit to read out said set of axioms
and said set of terms from said recording unit and to generate, under said set of
axioms, a first equational tree automaton which accepts said set of terms;

said simulation unit is controlled by said processing unit to read out said set of rewriting
rules, said set of axioms and said set of terms from said recording unit and to generate,
under said set of rewriting rules and said set of axioms and using said first equational
tree automaton as initial data, a second equational tree automaton which accepts said set of terms
and a set that comprises terms derived from said set of terms; and

said set operation unit is controlled by said processing unit to determine
whether or not said second equational tree automaton accepts said selected term to be verified;

said second equational tree automaton is generated through first and second repetition 
processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated process comprises: 

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure;

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

3. (Currently amended) A safety verification device of a reactive system according to 
claim 1, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and 



Appl. No.: 10/521,671
Filed: September 15, 2005



said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

4. (Currently amended) A safety verification method of an electronic reactive system
such as a cipher communication system or control system for a nuclear reactor or aircraft, 
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of terms, 
and a selected set of terms to be verified, said set of axioms being a set consisting only a 
commutative law and an associative law, said method being executed by a computer comprising 
a processing unit and a recording unit, and said method comprising: 

a first step in which said processing unit reads out said set of axioms and said set of terms
from said recording unit and generates, under said set of axioms, a first equational
tree automaton which accepts said set of terms;

a second step in which said processing unit reads out said set of rewriting rules, said set
of axioms and said set of terms from said recording unit and generates, under said
set of rewriting rules and said set of axioms and using said first equational tree automaton as
initial data, a second equational tree automaton which accepts said set of terms and a set that
comprises terms derived from said set of terms; and

a third step in which said processing unit generates, using said second
equational tree automaton and said selected set of terms to be verified, a fourth equational tree
automaton by associating said second equational tree automaton with a third equational tree
automaton which accepts said selected set of terms to be verified and said processing unit
determines whether or not a set accepted by the fourth equational tree automaton is
an empty set, wherein said second step comprises first and second repetition processes;

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data;

(B) selecting an element p from a first group which consists of position
information in a tree-structure when left sides of equations, each of said equations corresponding
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said
element p is positioned at the end of said tree-structure;

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated process comprises: 

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

5. (Currently amended) A safety verification method of an electronic reactive system
such as a cipher communication system or control system for a nuclear reactor or aircraft,
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of terms, 
and a selected term to be verified, said set of axioms being a set consisting only a commutative
law and an associative law, said method being executed by a computer comprising a processing
unit and a recording unit, and said method comprising: 

a first step in which said processing unit reads out said set of axioms and said set of terms
from said recording unit and generates, under said set of axioms, a first equational
tree automaton which accepts said set of terms;

a second step in which said processing unit reads out said set of rewriting rules, said set
of axioms and said set of terms from said recording unit and generates, under said
set of rewriting rules and said set of axioms and using said first equational tree automaton as
initial data, a second equational tree automaton which accepts said set of terms and a set that
comprises terms derived from said set of terms; and

a third step in which said processing unit determines whether or not said
second equational tree automaton accepts said selected term to be verified, wherein said second
step comprises first and second repetition processes;

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated process comprises: 

(E) setting said sixth equational tree automaton to initial data;

(F) selecting an element q from a second group which consists of position
information in a tree-structure when right sides of equations, each of said equations
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure,
wherein said element q is positioned at the end of said tree-structure;

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

6. (Currently amended) A safety verification method of a reactive system according to 
claim 4, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and 

said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

7. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program, said reactive system being an electronic system 
such as a cipher communication system or control system for a nuclear reactor or aircraft, said
computer program being executed by a computer comprising a processing unit and a recording
unit, and said computer program comprising:

a first program code which makes said processing unit to accept an input of a
procedure represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set
of terms, and a selected set of terms to be verified and to record said procedure in said recording
unit;

a second program code which makes said processing unit to read out said set of axioms
and said set of terms from said recording unit and to generate, under said set of axioms
consisting only of a commutative law and an associative law, a first equational tree automaton
which accepts said set of terms;

a third program code which makes said processing unit to read out said set of rewriting
rules, said set of axioms and said set of terms from said recording unit and to generate,
under said set of rewriting rules and said set of axioms and using said first equational tree
automaton as initial data, a second equational tree automaton which accepts said set of terms and
a set that comprises terms derived from said set of terms; and

a fourth program code which makes said processing unit to generate, using said
second equational tree automaton and said selected set of terms to be verified, a fourth equational
tree automaton by associating said second equational tree automaton with a third equational tree
automaton which accepts said selected set of terms to be verified and to determine
whether or not a set accepted by the fourth equational tree automaton is an empty set, wherein
said second program code makes said processing unit to execute first and second repetition
processes;

wherein said first repetition process comprises:

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated process comprises:

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

8. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program, said reactive system being an electronic system 
such as a cipher communication system or control system for a nuclear reactor or aircraft, said 
computer program being executed by a computer comprising a processing unit and a recording 
unit, and said computer program comprising: 

a first program code which makes said processing unit to accept an input of a
procedure represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set
of terms, and a selected term to be verified and to record said procedure in said recording unit;

a second program code which makes said processing unit to read out said set of axioms
and said set of terms from said recording unit and to generate, under said set of axioms
consisting only of a commutative law and an associative law, a first equational tree automaton
which accepts said set of terms;

a third program code which makes said processing unit to read out said set of rewriting
rules, said set of axioms and said set of terms from said recording unit and to generate,
under said set of rewriting rules and said set of axioms and using said first equational tree
automaton as initial data, a second equational tree automaton which accepts said set of terms and
a set that comprises terms derived from said set of terms; and

a fourth program code which makes said processing unit to determine whether
or not said second equational tree automaton accepts said selected term to be verified, wherein
said second program code makes said processing unit to execute first and second repetition
processes;

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of terms by rewriting all terms which are included in a fifth
equational tree automaton obtained in a last process performed according to the rewriting rule
$f(c^{p,1}_{t_1}, \ldots, c^{p,n}_{t_n}) \to c^{p}_{l|_p}$, wherein a function symbol of said element p is described as f, argument
terms are described as $t_1, \ldots, t_n$, and a term $l|_p$ corresponding to said element p is described as
$f(t_1, \ldots, t_n)$;

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated process comprises: 

(E) setting said sixth equational tree automaton to initial data;

(F) selecting an element q from a second group which consists of position
information in a tree-structure when right sides of equations, each of said equations
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure,
wherein said element q is positioned at the end of said tree-structure;

(G) determining a set of terms by rewriting all terms which are included in a
seventh equational tree automaton obtained in a last process performed according to the rewriting
rule $f(d^{q,1}_{t_1}, \ldots, d^{q,n}_{t_n}) \to d^{q}_{r|_q}$, wherein a function symbol of said element q is described as f,
argument terms are described as $t_1, \ldots, t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1, \ldots, t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends
of said tree-structure of said second group.

9. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program according to claim 7, wherein said set of function 
symbols is a set comprising function symbols representing encryption, decryption and 
communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and 

said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

10-12. (Cancelled) 

13. (Currently amended) A safety verification device of a reactive system according to 
claim 2, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements,

said set of rewriting rules is a set comprising as an element a rule representing that
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and 

said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

14. (Currently amended) A safety verification method of a reactive system according to 
claim 5, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and 

said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

15. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program according to claim 8, wherein said set of function 
symbols is a set comprising function symbols representing encryption, decryption and 
communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected term to be verified is confidential information, and

said set of terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

16. (Cancelled) 
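
The membership check recited in claims 2, 5 and 8, with the cryptographic instantiation of claims 3, 6 and 9, can be tried on a small constructed case. The Python below is an added example, not part of the filing and not the applicant's implementation: it swaps in an ordinary tree automaton with epsilon transitions and a generic completion loop (no commutative or associative axioms, and not the claimed (A)-(H) repetition processes). The constants `secret`, `kab`, `ki`, the state names and all function names are assumptions made for illustration.

```python
# Added illustration (not from the filing): a plain tree automaton with epsilon
# transitions, saturated under the single rewriting rule dec(enc(x, k), k) -> x.
# Simplifications: no commutative/associative axioms, and the key variable k is
# matched by state identity, which suffices here because each constant has its own state.

def eps_closure(states, eps):
    """States reachable from `states` through epsilon transitions (src, dst)."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for src, dst in eps:
            if src == s and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def monitor_automaton(knows_ki):
    """'First' automaton: state q_I accepts the monitoring subject's knowledge.

    Constructed scenario: the monitor observes enc(secret, kab) and enc(kab, ki),
    may hold ki, and can apply enc/dec to anything it already knows.
    """
    trans = {
        ("secret", (), "q_s"), ("kab", (), "q_kab"), ("ki", (), "q_ki"),
        ("enc", ("q_s", "q_kab"), "q_c1"),    # observed message 1
        ("enc", ("q_kab", "q_ki"), "q_c2"),   # observed message 2
        ("enc", ("q_I", "q_I"), "q_I"),       # monitor may encrypt what it knows
        ("dec", ("q_I", "q_I"), "q_I"),       # monitor may decrypt what it knows
    }
    eps = {("q_c1", "q_I"), ("q_c2", "q_I")}
    if knows_ki:
        eps.add(("q_ki", "q_I"))
    return trans, eps

def complete(trans, eps):
    """'Second' automaton: add epsilon transitions until the rule adds nothing new.

    Whenever dec(enc(qx, qk), qk) can reach state q, every term accepted by qx
    (the plaintext) must be accepted by q as well, so qx -> q is added.
    """
    eps = set(eps)
    enc_rules = [t for t in trans if t[0] == "enc"]
    dec_rules = [t for t in trans if t[0] == "dec"]
    changed = True
    while changed:
        changed = False
        for _, (qx, qk), qe in enc_rules:
            for _, (qa, qb), q in dec_rules:
                cipher_ok = qa in eps_closure({qe}, eps)
                key_ok = qb in eps_closure({qk}, eps)
                if cipher_ok and key_ok and q not in eps_closure({qx}, eps):
                    eps.add((qx, q))
                    changed = True
    return eps

def states_of(term, trans, eps):
    """States in which the ground term (symbol, *subterms) is accepted."""
    symbol, args = term[0], term[1:]
    arg_states = [states_of(a, trans, eps) for a in args]
    hit = {q for g, qs, q in trans
           if g == symbol and len(qs) == len(args)
           and all(qi in s for qi, s in zip(qs, arg_states))}
    return eps_closure(hit, eps)

def is_exposed(term, knows_ki):
    """Membership test: does the completed automaton accept `term` in q_I?"""
    trans, eps = monitor_automaton(knows_ki)
    return "q_I" in states_of(term, trans, complete(trans, eps))

if __name__ == "__main__":
    SECRET = ("secret",)
    print("monitor holds ki:", is_exposed(SECRET, knows_ki=True))
    print("monitor lacks ki:", is_exposed(SECRET, knows_ki=False))
```

With `ki` in the monitor's knowledge the completion first exposes `kab` and then `secret`; without it no epsilon transition is added and the confidential term stays outside the accepted set.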